If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Enjoy an ad free experience by logging in. Not a member yet? Register.

Can AuthUserFile in .htaccess use a relative path?

I'm using .htaccess to password-protect some pages. The password file is specified with the AuthUserFile value, for example:

AuthUserFile "/home/sites/myusername/httpdocs/.htpasswd"

Now, by using this absolute path, the site cannot easily be moved to another account or even another server or hoster without changing stuff manually, because the above path won't be valid there. I'd have to manually inspect all .htaccess files in the entire site, and change the paths accordingly.

Therefore, I'd prefer to use something like:

AuthUserFile "../.htpasswd"

or

AuthUserFile "%{DOCUMENT_ROOT}/.htpasswd"

or whatever would be relative to my site's local folder. But I can't get this to work.

Is this actually possible, or does .htaccess really ONLY allow absolute paths?

(note: The %{DOCUMENT_ROOT} thing actually gives what I need in RewriteRule, can't that be used with AuthUserFile??)

AFAIK, it should be an absolute path. I can't find the info from the apache docs, though an .htaccess file is just an extension of your server's conf file. Thus we may need to follow the same rules here also.

Originally Posted by http://support.easystreet.com/hosting/unix/dynamic-config.htm#passwordprotect

The AuthUserFile directive specifies the path to the password file. This must be specified as an absolute path -- if specified as a relative path, the web server will look in its root directory, which is not where your content resides.

The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

For those who still have this issue of finding their AuthUserFile absolute path to their web space (because your web hosting site is unable to), you can make a simple php file and run it from your site to find the answer.

Use notepad and make a file called myroot.php (or any filename with the .php extension)
copy the following code into the file
--------------------------------------------
<html>
<head>
<title>Getting your AuthUserFile root location</title>
</head>
<?php
echo “<h1>Your website root location is --> “;
echo $_SERVER[‘DOCUMENT_ROOT’];
echo “ <--</h1>”;
?>
<body>
</body>
</html>
---------------------------------------------
Remember to save, and then upload it to your webspace, and run it from a browser on your webspace and copy the path to somewhere safe (and then remember to get rid of the file when you are done using it so a hacker cannot find your AuthUserFile absolute path for your web space).

It'll display the absolute path where your publically accessible webpages are kept, and more often your FTP can upload to one level up (which is a good spot for keeping password files, or making a folder from that level where the public cannot access, but since the AuthUserFile specifies an absolute path on the hard drive, you can choose a folder that you can only get to with an FTP application).

I've had a few ISP that had no clue where the site hosting was being done, much less the absolute path for my webspace, so I setup a little page for people wanting to try using htaccess.